The Data Accountability and Trust Act

An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."

Re:Exemption...

[amliebsch]

There's an exemption if they encrypt their data - even if the encryption is lame or broken.

It doesn't say that! Stop making stuff up.

The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

Now perhaps there are encryption algorithms approved by the NIST that you feel are not sufficiently strong - though you haven't given any examples - but to claim that you can use any old encryption algorithm is FUD, pure and simple.